What is inside?

1. *Advisory Information* Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities Advisory ID: CORE-2017-0003 Advisory URL: http://ift.tt/2tYq4Qo Date published: 2017-06-28 Date of last update: 2017-06-28 Vendors contacted: Kaspersky Release mode: Forced release 2. *Vulnerability Information* Class: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79], Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Limitation of a Pathname to a Restricted Directory [CWE-22] Impact: Code execution, Security bypass, Information leak Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2017-9813, CVE-2017-9810, CVE-2017-9811, CVE-2017-9812 3. *Vulnerability Description* From Kaspersky Lab’s website: “Large corporate networks that use file servers running on different platforms can be a real headache when it comes to antivirus protection. Kaspersky Anti-Virus for Linux File Server is part of our range of new and refreshed products, solutions and services for heterogeneous networks. It provides a superior protection with Samba server integration and other features that can protect workstations and file servers in even the most complex heterogeneous networks. It is also certified VMware Ready and supports current versions of FreeBSD for integrated, future-proof protection.” Multiple vulnerabilities were found in the Kaspersky Anti-Virus for Linux File Server [2] Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root. 4. *Vulnerable Packages* . Kaspersky Anti-Virus for Linux File Server 8.0.3.297 [2] Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* Kaspersky [1] published the following Maintenance Pack: . Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312): http://ift.tt/2tYQO31 6. *Credits* This vulnerability was discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Kaspersky Anti-virus for Linux File Server comes bundled with a Web Management Console to monitor the application’s status and manage its operation. One specific feature allows configuring shell scripts to be executed when certain events occur. This functionality is vulnerable to cross-site request forgery, allowing code execution in the context of the web application as the kluser account. The vulnerability is described in section 7.1. Moreover, it is possible to elevate privileges from kluser to root by abusing the quarantine functionality provided by the kav4fs-control system binary. This is described in section 7.2. Additional web application vulnerabilities were found, including a reflected cross-site scripting vulnerability (7.3) and a path traversal vulnerability (7.4). 7.1. *Cross-site Request Forgery leading to Remote Command Execution* [CVE-2017-9810]: There are no Anti-CSRF tokens in any forms on the web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The following request will update the notification settings to run a shell command when an object is moved to quarantine. For the full list of events refer to the product’s documentation. Note that it is possible to add a script to all existing events in a single request, widening the window of exploitation. The proof-of-concept creates the file /tmp/pepperoni. Shell commands are run as the lower privilege kluser. Payload: /–